fix: amm-1927 security fix to prevent res headers for unallowed origins #118
Conversation
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
| return Arrays.stream(allowedOrigins.split(",")).map(String::trim).anyMatch(pattern -> { | ||
| String regex = pattern.replace(".", "\\.").replace("*", ".*").replace("http://localhost:.*", | ||
| "http://localhost:\\d+"); // special case for wildcard port | ||
| String regex = pattern.replace(".", "\\.").replace("*", ".*"); |
There was a problem hiding this comment.
The removal has also worked with dev with common-api, not sure if it had any effect
There was a problem hiding this comment.
yes but this is help for digit restrict
📋 Description
JIRA ID: AMM-1927
🎯 Summary
This PR transforms the CORS implementation from an overly restrictive, maintenance-heavy configuration to a secure, environment-aware, and developer-friendly approach. By removing endpoint-specific restrictions and fixing critical security vulnerabilities, we achieve:
Better Security: Environment-controlled origins, no hardcoded localhost, immutable configuration
Simpler Code: No endpoint-specific configuration, reduced maintenance
Proper Architecture: CORS handles browser security, endpoints handle authorization
Standard Compliance: Full REST API support including PATCH method
Result: A production-safe, maintainable CORS implementation that follows security best practices and reduces operational overhead.
✅ Type of Change
🐞 Bug fix (non-breaking change which resolves an issue)